Setting 'HttpOnly' and 'Secure' in web.xml


Question

I need to have the 'HttpOnly' and 'Secure' attributes set to 'true' to prevent the CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute and CWE-402: Transmission of Private Resources into a New Sphere flaws from showing in the Veracode report.

After doing some online searching, it seems that the best thing to do is to simply set the attributes in the project's web.xml file as follows:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

However, I get an error message on the opening tag saying that "The content of element type "session-config" must match "(session-timeout)?"".

I'm not sure what that means exactly. I'm guessing it has something to do with the order of elements but I don't really know how to fix it.

Any ideas?

Thanks!

Accepted answer

Support for the secure and http-only attributes is available only in Servlet specification 3.0. Check that the version attribute in your web.xml is "3.0".

<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
            http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
     version="3.0">
